---
layout: docs
page_title: OIDC Provider Setup - Auth Methods - Google
description: OIDC provider configuration for Google
---

## Google

Main reference: [Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/OAuth2)

1. Visit the [Google API Console](https://console.developers.google.com).
1. Create or a select a project.
1. Navigate to Menu > APIs & Services
1. Create a new credential via Credentials > Create Credentials > OAuth Client ID.
1. Configure the OAuth Consent Screen. Application Name is required. Save.
1. Select application type: "Web Application".
1. Configure Authorized [Redirect URIs](/vault/docs/auth/jwt#redirect-uris).
1. Save client ID and secret.

### Optional google-specific configuration

Google-specific configuration is available when using Google as an identity provider from the
Vault JWT/OIDC auth method. The configuration allows Vault to obtain Google Workspace group membership and
user information during the JWT/OIDC authentication flow. The group membership obtained from Google Workspace
may be used for Identity group alias association. The user information obtained from Google Workspace can be
used to copy claims data into resulting auth token and alias metadata via [claim_mappings](/vault/api-docs/auth/jwt#claim_mappings).

#### Setup

To set up the Google-specific handling, you'll need:

- A Google Workspace account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en)
  for granting domain-wide delegation API client access, or a service account that has been granted
  [the necessary](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd) group admin roles.
- The ability to create a service account in [Google Cloud Platform](https://console.developers.google.com/iam-admin/serviceaccounts).
- To enable the [Admin SDK API](https://console.developers.google.com/apis/api/admin.googleapis.com/overview).
- An OAuth 2.0 application with an [internal user type](https://support.google.com/cloud/answer/10311615#user-type).
  We **do not** recommend using an external user type since it would allow _any user_ with a
  Google account to authenticate with Vault.

The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses either
Google Workspace Domain-Wide Delegation of Authority for authentication and authorization, or group admin roles granted to a GCP service account.

Links to steps for setting up authentication and authorization:
- [DWDoA](https://developers.google.com/workspace/guides/create-credentials#service-account)
- [Without DWDoA](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd)

In **step 11** within the section titled
[Optional: Set up domain-wide delegation for a service account](https://developers.google.com/workspace/guides/create-credentials#optional_set_up_domain-wide_delegation_for_a_service_account),
the only OAuth scopes that should be granted are:

- `https://www.googleapis.com/auth/admin.directory.group.readonly`
- `https://www.googleapis.com/auth/admin.directory.user.readonly`

~> This is an **important security step** in order to give the service account the least set of privileges
that enable the feature.

#### Configuration

- `provider` `(string: <required>)` - Name of the provider. Must be set to "gsuite".
- `gsuite_service_account` `(string: <optional>)` - Either the path to or the contents of a Google service
  account key file in JSON format. If given as a file path, it must refer to a file that's readable on
  the host that Vault is running on. If given directly as JSON contents, the JSON must be properly escaped.
  If left empty, Application Default Credentials will be used.
- `gsuite_admin_impersonate` `(string: <optional>)` - Email address of a Google Workspace admin to impersonate.
- `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from Google Workspace.
- `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from Google Workspace using the configured [user_custom_schemas](#user_custom_schemas).
- `groups_recurse_max_depth` `(int: <optional>)` - Group membership recursion max depth. Defaults to 0, which means don't recurse.
- `user_custom_schemas` `(string: <optional>)` - Comma-separated list of Google Workspace [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas).
  Values set for Google Workspace users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/vault/api-docs/auth/jwt#claim_mappings). Required if [fetch_user_info](#fetch_user_info) is set to true.
- `impersonate_principal` `(string: <optional>)` - Service account email that has been granted domain-wide delegation of authority in Google Workspace.
  Required if accessing the Google Workspace Directory API through domain-wide delegation of authority, without using a service account key.
  The service account vault is running under must be granted the `iam.serviceAccounts.signJwt` permission on this service account.
  If `gsuite_admin_impersonate` is specifed, that	Workspace user will be impersonated.

Example configuration:

```
vault write auth/oidc/config -<<EOF
{
    "oidc_discovery_url": "https://accounts.google.com",
    "oidc_client_id": "your_client_id",
    "oidc_client_secret": "your_client_secret",
    "default_role": "your_default_role",
    "provider_config": {
        "provider": "gsuite",
        "gsuite_service_account": "/path/to/service-account.json",
        "gsuite_admin_impersonate": "admin@gsuitedomain.com",
        "fetch_groups": true,
        "fetch_user_info": true,
        "groups_recurse_max_depth": 5,
        "user_custom_schemas": "Education,Preferences",
        "impersonate_principal": "sa@project.iam.gserviceaccount.com"
    }
}
EOF
```

#### Role

The [user_claim](/vault/api-docs/auth/jwt#user_claim) value of the role must be set to
one of either `sub` or `email` for the Google Workspace group and user information
queries to succeed.

Example role:

```
vault write auth/oidc/role/your_default_role \
    allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
    user_claim="sub" \
    groups_claim="groups" \
    claim_mappings="/Education/graduation_date"="graduation_date" \
    claim_mappings="/Preferences/shirt_size"="shirt_size"
```
